CVE-2025-68783
BaseFortify
Publication date: 2026-01-13
Last updated on: 2026-01-19
Assigner: kernel.org
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is in the Linux kernel's ALSA usb-mixer driver for the Tascam US-16x08 (us16x08) device. The function get_meter_levels_from_urb() parses the 64-byte meter packets the device sends over USB and uses them to fill three per-channel arrays: meter levels, compressor levels, and master levels. The flaw is that the channel index used to address those arrays is taken straight from the packet without being validated. A packet carrying a channel number that maps to a negative or otherwise out-of-range index makes the driver write past the bounds of the array, corrupting adjacent kernel memory. The fix validates the index before it is used: negative indices are rejected and the index is limited to the maximum number of channels the driver tracks.
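To make the bug class concrete, the following is an added C model of the unchecked index derivation next to the validated form. It is illustrative code written for this page, not the kernel's mixer_us16x08.c; the record layout, the record type values, the 16-channel limit and the sample packet are all assumptions chosen to match the description above (64-byte packets, three per-channel arrays, a channel number read from the packet).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed sizes for this example (chosen to match the description of
 * 64-byte packets and a 16-channel mixer; not the kernel's constants). */
#define METER_PKT_LEN 64
#define MAX_CHANNELS  16

/* Assumed record layout: the packet is treated as a run of 4-byte records
 *   [0] kind   [1] channel (1-based, 0 = none)   [2] value lo   [3] value hi
 * The kind values below are invented for the example. */
#define REC_LEN     4
#define KIND_METER  0x01
#define KIND_COMP   0x02
#define KIND_MASTER 0x03

struct meter_store {
    int meter_level[MAX_CHANNELS];
    int comp_level[MAX_CHANNELS];
    int master_level[MAX_CHANNELS];
};

/* How the index is derived before the fix: a 1-based channel byte is turned
 * into a 0-based array index with no range check. A channel byte of 0 yields
 * -1 and a byte of 0xff yields 254, both outside a 16-entry array. */
int unchecked_index(uint8_t channel_byte)
{
    return (int)channel_byte - 1;
}

/* The check the fix adds: reject negative indices and anything at or beyond
 * the channel count. Returns 1 when idx is safe to use as an array index. */
int channel_index_ok(int idx)
{
    return idx >= 0 && idx < MAX_CHANNELS;
}

/* Hardened parser. Returns the number of records dropped because their
 * channel index failed validation; a well-behaved device never trips it. */
int parse_meter_packet(struct meter_store *st, const uint8_t pkt[METER_PKT_LEN])
{
    int rejected = 0;

    for (size_t off = 0; off + REC_LEN <= METER_PKT_LEN; off += REC_LEN) {
        uint8_t kind = pkt[off];
        int idx = unchecked_index(pkt[off + 1]);
        int val = pkt[off + 2] | (pkt[off + 3] << 8);

        if (kind != KIND_METER && kind != KIND_COMP && kind != KIND_MASTER)
            continue;           /* zero padding or a record type we don't track */

        if (!channel_index_ok(idx)) {
            rejected++;         /* before the fix this was an out-of-bounds write */
            continue;
        }

        if (kind == KIND_METER)
            st->meter_level[idx] = val;
        else if (kind == KIND_COMP)
            st->comp_level[idx] = val;
        else
            st->master_level[idx] = val;
    }
    return rejected;
}

static struct meter_store demo_store;

/* Constructed sample packet (not a capture from a real device): one valid
 * meter record, one with channel byte 0 (index -1) and one with channel
 * byte 200 (index 199); the rest of the 64 bytes is zero padding. */
int run_demo(void)
{
    uint8_t pkt[METER_PKT_LEN] = {0};
    const uint8_t records[] = {
        KIND_METER,  3,   0x34, 0x12,   /* channel 3 -> meter_level[2] = 0x1234 */
        KIND_COMP,   0,   0xff, 0xff,   /* channel 0 -> index -1, rejected       */
        KIND_MASTER, 200, 0x01, 0x00,   /* channel 200 -> index 199, rejected    */
    };
    memcpy(pkt, records, sizeof records);
    memset(&demo_store, 0, sizeof demo_store);
    return parse_meter_packet(&demo_store, pkt);
}

/* Convenience accessor: runs the demo and reads one meter level back. */
int demo_meter_level(int idx)
{
    run_demo();
    return demo_store.meter_level[idx];
}
```

The point of the model is the sign: a `u8` channel byte minus one is an `int`, so a zero byte becomes -1 and indexes memory before the array, while a large byte indexes far past it. Validating the derived index (not just the raw byte) against the array length is what closes both directions.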
How can this vulnerability impact me?
This vulnerability allows out-of-bounds writes into kernel memory because channel indices taken from device packets are not validated. Such memory corruption can cause system instability or crashes, and could potentially be turned into arbitrary code execution with kernel privileges. Note that the malformed packets come from the USB device itself, so the realistic attack vector is a malicious or emulated US-16x08 (for example a crafted USB device) attached to the host and bound by the driver; hosts that never see such a device are not exposed through this path.
What immediate steps should I take to mitigate this vulnerability?
Apply the patch or update to a Linux kernel version that includes the fix for this vulnerability, which validates the meter packet channel indices in the ALSA usb-mixer us16x08 driver before they are used to index the level arrays. Until the kernel is updated, limit exposure by not attaching untrusted USB audio devices to affected hosts, since the vulnerable code path is only reached when the driver is bound to a US-16x08 device.